#!/bin/sh

# Kernel panic reproducer packaged as a stress2 test: the embedded
# syzkaller-generated C program is compiled, run under a timeout and then
# removed again.  The console output below is the panic it produced.

# (pass0:ahcich1:0:0:0): xpt_action_default: CCB type 0x380 0x380 not supported
# panic: _free(0): addr 0xfffff802f7e5a7b8 slab 0xffffffffffffffff with unknown cookie 3
# cpuid = 8
# time = 1773835096
# KDB: stack backtrace:
# db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00ffe5fc60
# vpanic() at vpanic+0x136/frame 0xfffffe00ffe5fd90
# panic() at panic+0x43/frame 0xfffffe00ffe5fdf0
# free() at free+0x213/frame 0xfffffe00ffe5fe30
# xpt_release_ccb() at xpt_release_ccb+0x50/frame 0xfffffe00ffe5fe60
# xpt_done_process() at xpt_done_process+0x3e0/frame 0xfffffe00ffe5fea0
# xpt_done_td() at xpt_done_td+0x145/frame 0xfffffe00ffe5fef0
# fork_exit() at fork_exit+0x82/frame 0xfffffe00ffe5ff30
# fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe00ffe5ff30
# --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
# KDB: enter: panic
# [ thread pid 4 tid 100122 ]
# Stopped at      kdb_enter+0x33: movq    $0,0x15e9d32(%rip)
# db> x/s version
# version: FreeBSD 16.0-CURRENT #0 main-n284537-a8b9a05d3cad-dirty: Tue Mar 17 09:39:44 CET 2026
# pho@mercat1.netperf.freebsd.org:/usr/src/sys/amd64/compile/PHO
# db>

# Reproducer obtained from: Jiaming Zhang <r772577952@gmail.com>
# [Bug 293893] panic: _free(NUM): address ADDR(ADDR) has not been allocated

# Refuse to run as a non-root user.
[ `id -u ` -ne 0 ] && echo "Must be root!" && exit 1

# Shared test configuration; presumably where mycc is defined -- confirm.
. ../default.cfg
# Treat expansion of an unset variable as an error.
set -u
# Test name taken from the script file name; it names the temp files below.
prog=$(basename "$0" .sh)
# Unquoted heredoc: the shell expands $... inside it, which is why the
# generated C source below escapes its literal dollar signs as \$.
cat > /tmp/$prog.c <<EOF
// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <pwd.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/endian.h>
#include <sys/syscall.h>
#include <unistd.h>

// Resource table: r[0] receives the descriptor returned by openat() below
// and stays -1 if that call fails.
uint64_t r[1] = {0xffffffffffffffff};

int main(void)
{
  // Map a fixed 16 MiB RWX region at 0x200000000000; every syscall argument
  // buffer below is a fixed address inside it.  The result is not checked,
  // so a failed mapping would make the stores below fault.
  syscall(SYS_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul,
          /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul,
          /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x1012ul,
          /*fd=*/(intptr_t)-1, /*offset=*/0ul);
  // Unused scratch variable emitted by the generator.
  const char* reason;
  (void)reason;
  intptr_t res = 0;
  if (write(1, "executing program\n", sizeof("executing program\n") - 1)) {
  }
  //  openat\$pass_pass_cdevsw arguments: [
  //    fd: const = 0xffffffffffffff9c (8 bytes)
  //    file: ptr[in, buffer] {
  //      buffer: {2f 64 65 76 2f 70 61 73 73 30 00} (length 0xb)
  //    }
  //    flags: open_flags = 0x2 (4 bytes)
  //    mode: const = 0x0 (4 bytes)
  //  ]
  //  returns fd_pass_pass_cdevsw
  // Path string for openat(); 11 bytes including the terminating NUL.
  memcpy((void*)0x200000000100, "/dev/pass0\000", 11);
  // Open the CAM pass-through device read/write; on success the descriptor
  // is kept in r[0] for the ioctl at the end.
  res = syscall(SYS_openat, /*fd=*/0xffffffffffffff9cul,
                /*file=*/0x200000000100ul, /*flags=O_RDWR*/ 2, /*mode=*/0);
  if (res != -1)
    r[0] = res;
  //  sendfile arguments: [
  //    fd: fd (resource)
  //    s: sock_in (resource)
  //    offset: intptr = 0x4 (8 bytes)
  //    nbytes: int64 = 0x4 (8 bytes)
  //    hdtr: ptr[in, sf_hdtr] {
  //      sf_hdtr {
  //        headers: ptr[in, array[iovec_in]] {
  //          array[iovec_in] {
  //            iovec_in {
  //              addr: nil
  //              len: len = 0x0 (8 bytes)
  //            }
  //            iovec_in {
  //              addr: ptr[in, buffer] {
  //                buffer: {} (length 0x0)
  //              }
  //              len: len = 0x0 (8 bytes)
  //            }
  //          }
  //        }
  //        hdr_cnt: len = 0x2 (4 bytes)
  //        pad = 0x0 (4 bytes)
  //        trailers: nil
  //        trl_cnt: len = 0x0 (4 bytes)
  //        pad = 0x0 (4 bytes)
  //      }
  //    }
  //    sbytes: nil
  //    flags: sf_flags = 0x1 (8 bytes)
  //  ]
  // Lay out the sf_hdtr described above at 0x200000001ac0.
  *(uint64_t*)0x200000001ac0 = 0x200000000280;  // headers -> iovec array
  *(uint64_t*)0x200000000280 = 0;               // iovec[0].addr = nil
  *(uint64_t*)0x200000000288 = 0;               // iovec[0].len = 0
  *(uint64_t*)0x200000000290 = 0x200000000380;  // iovec[1].addr (empty buffer)
  *(uint64_t*)0x200000000298 = 0;               // iovec[1].len = 0
  *(uint32_t*)0x200000001ac8 = 2;               // hdr_cnt
  *(uint64_t*)0x200000001ad0 = 0;               // trailers = nil
  *(uint32_t*)0x200000001ad8 = 0;               // trl_cnt
  // Both descriptors passed here are -1; the return value is ignored.
  syscall(SYS_sendfile, /*fd=*/(intptr_t)-1, /*s=*/(intptr_t)-1, /*offset=*/4ul,
          /*nbytes=*/4ul, /*hdtr=*/0x200000001ac0ul, /*sbytes=*/0ul,
          /*flags=SF_NODISKIO*/ 1ul);
  //  ioctl\$CAMIOQUEUE_pass_cdevsw arguments: [
  //    fd: fd_pass_pass_cdevsw (resource)
  //    cmd: const = 0x20001a04 (8 bytes)
  //    arg: ptr[in, ptr[in, ccb\$pass_cdevsw]] {
  //      nil
  //    }
  //  ]
  // The ioctl argument points at a NULL ccb pointer (nil in the annotation
  // above).  The backtrace in the header ends in xpt_release_ccb() -> free(),
  // which suggests this call is the trigger -- not confirmed here.
  *(uint64_t*)0x200000000240 = 0;
  syscall(SYS_ioctl, /*fd=*/r[0], /*cmd=*/0x20001a04ul,
          /*arg=*/0x200000000240ul);
  return 0;
}
EOF
# Compile the reproducer; give up on a build failure.
mycc -o /tmp/$prog -Wall -Wextra -O0 /tmp/$prog.c || exit 1

# Run it with a 3 minute cap, discarding its output.  On an affected kernel
# the run ends in the panic shown in the header.
timeout 3m /tmp/$prog > /dev/null 2>&1

# Remove the binary, its source and any core file it left behind.
rm -rf /tmp/$prog /tmp/$prog.c /tmp/$prog.core
# The outcome of interest is whether the kernel survives, not the exit status.
exit 0
